Continuing the DDoS Arms Race
Denial-of-Service (DoS) attacks are some of the oldest Internet threats and continue to be one of the top risks that companies focus their security strategy on. Banks and online gaming companies tend to lead the pack in building out the recommended dynamic, multilayered security infrastructure to detect and mitigate what has grown into Distributed Denial-of-Service (DDoS) attacks, with various large-scale enterprises and online retailers following. However, no one is immune to the mayhem; midsized retailers and even our favorite pizza shops have been impacted. As stated in an article by Peter Parish on the League of Legends DDoS attack, “Defending against DDoS attacks is an arms race that [one must] always be engaged in, and committed to reducing the [resulting] pain as swiftly as possible when the service is being impacted by malicious attacks”, and no matter who you are or what measures are in place, one must remain vigilant.
Today’s DDoS attacks have become more sophisticated and powerful, and have even moved up the stack to pound the application. According to one report that I am not calling out at this time, the number of 20 Gbps DDoS attacks doubled in Q1 of 2014, well over that reported for all of 2013, and there was an increase in the number of attacks above 100 Gbps in the same period. I can believe this just skimming through highlights on the internet, which reveal similar findings. I am certain that you may have read about a number of DDoS attacks reported by the media as large as 300 Gbps. These cases tend to be rarer, but viable and growing. Although many attackers do not have the capacity to execute a high-volume attack that large with their “volunteer” botnets (where many people download the same attack tool and direct it at the same target), don’t underestimate the potential for such an attack on your organization. Botnets are now being created anonymously, where attackers install tools on internet-connected devices or servers unbeknownst to their owners to drive larger DDoS attacks, host or visit websites and execute intense application-level attacks. This was certainly seen with one recent headless browser attack that employed 180,000 IP addresses generating some 700 million hits per day. The easy availability of bots/botnets for hire (at a price, of course; they are not free) and simple distributed crowd-sourced attack tools that utilize multiple technologies have made L2-L7 DDoS attacks more stealthy, resilient, innovative and successful at exploits that jeopardize applications and consume resources, bandwidth and connections, leaving organizations of all sizes and types at risk and out of service.
So what are you doing now to strengthen your defense?
Knowledge is power when protecting against DDoS attacks. The more you know about the types of traffic and volumes your network can handle, the better you can respond with the right protective measures before services are interrupted. Understand in detail the source/origin of traffic, how it enters the network, what it is composed of and how much volume there should be at any given time. Also, be aware of any changes from the norm in traffic patterns; such a change is generally an indication of an attack, or at least of suspicious activity. Most importantly, be able to easily assess and relate the state of traffic and suspicious activity at every level of the OSI stack. This may require more advanced forensics and SIEM systems in addition to combined information from an ADC, firewalls and other security devices/solutions. We’ve improved visibility for you with F5 Advanced Firewall Manager (AFM) v11.6 by centralizing information flow for network and HTTP DoS reports (combining reports from F5 Application Security Manager (ASM) and AFM) and providing greater intelligence about stateful attacks. For ASM we’ve added a unique dashboard that consolidates multiple reports into a single-pane view, providing insight about app server health, historical trend data and the current state of attacks, all with query and analysis capabilities and links to in-depth details about events, threat techniques, response time, traffic and more.
Stay aware of DDoS trends. Understanding attack trends globally and adapting protection measures accordingly will keep your security strategy effective. For instance, UDP attacks have increased in use, so you may want to look closely at the types of policies and firewall rules you have in place to filter UDP traffic, to avert a potential service outage caused when the victimized system is forced to respond with many ICMP packets. Also, with the increase in frequency and volume of DDoS attacks, firewall performance and scalability become a factor; spinning up additional devices (or VEs) and gaining more granular controls that unburden firewalls of suspicious traffic becomes essential. Sources for trending information include reports commonly published by reputable sources like vendors, consortiums/organizations, and security media and analysts.
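The two points above (know what normal volume and protocol mix look like, then notice when the norm changes, for example a sudden UDP surge with ICMP backscatter) can be turned into a small baseline-and-deviation check. The following is an added example written for this post, not F5 or BIG-IP code: it builds a per-protocol baseline from constructed per-minute packet counters and flags minutes whose volume or protocol share departs from that baseline. The counters, the z-score threshold, the standard-deviation floor and the share margin are all this example's own assumptions; a real deployment would derive them from the network's measured history.

```python
"""Baseline-and-deviation check over constructed per-minute traffic counters.

Added example (not F5/BIG-IP code). Builds a per-protocol baseline from a window of
"normal" minutes and flags minutes whose packet volume or protocol share departs from
it, the change-from-the-norm signal the post says to watch for.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-minute counters: minute -> {protocol: packets}. Not real traffic data.
# Ten quiet minutes with small, deterministic jitter form the baseline window.
BASELINE_MINUTES = {
    m: {"tcp": 10000 + 100 * (m % 3), "udp": 1000 + 20 * (m % 4), "icmp": 50 + (m % 2)}
    for m in range(10)
}
# Live minutes: one normal, then two where UDP jumps and the victim answers with ICMP.
LIVE_MINUTES = {
    10: {"tcp": 10100, "udp": 1010, "icmp": 50},
    11: {"tcp": 10050, "udp": 42000, "icmp": 7000},
    12: {"tcp": 9900, "udp": 45000, "icmp": 7500},
}


def build_baseline(minutes):
    """Per-protocol mean and population stdev of packets/minute, plus mean share of total."""
    per_proto = defaultdict(list)
    shares = defaultdict(list)
    for counters in minutes.values():
        total = sum(counters.values())
        for proto, pkts in counters.items():
            per_proto[proto].append(pkts)
            shares[proto].append(pkts / total)
    return {
        proto: {"mean": mean(v), "stdev": pstdev(v), "share": mean(shares[proto])}
        for proto, v in per_proto.items()
    }


def check_minute(counters, baseline, z=3.0, min_stdev=25.0, share_margin=0.10):
    """Return a list of (protocol, reason) for counters that depart from the baseline.

    Thresholds are assumptions for this example: z-score above `z`, with the stdev
    floored at `min_stdev` so a very flat baseline does not alert on tiny jitter, and
    a protocol share more than `share_margin` above its baseline share.
    """
    findings = []
    total = sum(counters.values())
    for proto, pkts in counters.items():
        base = baseline.get(proto)
        if base is None:
            findings.append((proto, "protocol not seen in baseline window"))
            continue
        stdev = max(base["stdev"], min_stdev)
        zscore = (pkts - base["mean"]) / stdev
        if zscore > z:
            findings.append((proto, f"{pkts} pkt/min is {zscore:.1f} sd above baseline mean {base['mean']:.0f}"))
        share = pkts / total
        if share > base["share"] + share_margin:
            findings.append((proto, f"share of traffic {share:.0%} vs baseline {base['share']:.0%}"))
    return findings


def scan(live, baseline):
    """Map each anomalous minute to its findings; quiet minutes are omitted."""
    report = {}
    for minute, counters in live.items():
        findings = check_minute(counters, baseline)
        if findings:
            report[minute] = findings
    return report


if __name__ == "__main__":
    report = scan(LIVE_MINUTES, build_baseline(BASELINE_MINUTES))
    for minute, findings in sorted(report.items()):
        for proto, reason in findings:
            print(f"minute {minute}: {proto}: {reason}")
```

Two separate signals are deliberately kept: absolute volume catches a flood on a protocol that is normally small, while the share check catches a shift in the mix even when total volume is still within what the firewall can carry. Minute 10 produces no findings; minutes 11 and 12 are flagged on both UDP and ICMP, which is the pattern to expect when UDP floods hit closed ports.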
Improve upon and protect against automated attacks. With the increase in attacks at the application level, you will want to improve how you distinguish automated traffic from real human traffic. Although there is some need for automated traffic, you want to identify any unauthorized scraping or scanning of your proprietary information, and the sooner the better. In ASM v11.6 we have added an additional layer to bot protections, which provides always-on proactive bot defense that identifies automated application attacks before they commence, stopping attackers on their first attempt to access the application. This functionality greatly complements capabilities that already mitigate attacks in progress (reactive protections).
Call in the experts when you are under attack. It is important to know who in your organization can step in to take action when you are under attack or feel an attack may take place. Also be aware of service providers and security partners (like F5) who may help in assessing or stopping the threat and providing expertise in creating custom rules to mitigate threats. Keep this information at hand and visible for all.
Use the most up-to-date DDoS security products. Security requires a multi-layered approach to mitigating attacks, combining multiple security controls to protect resources and data. Make certain the tools you rely on for a layered defense offer protection as the scheme of attacks changes. As your partner in security, F5 recently enhanced the capabilities of our firewall solutions to help ensure our customers have the most effective protections for guarding against sophisticated DDoS attacks. These updates are part of the larger BIG-IP 11.6 release, which is geared towards providing better orchestration, visibility and stronger DDoS protections with improved performance. Below are a few highlights, but check out the version 11.6 release notes for ASM, AFM and the BIG-IP line of products for more details on what is new in version 11.6.
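Distinguishing automated traffic from human traffic in web logs is something you can start doing with the access logs you already have. The following is an added example written for this post, not ASM's bot defense or any F5 code: it parses constructed combined-log-format lines, aggregates per-client behaviour (request rate, whether the client ever fetches the CSS/JS/image assets a browser loads, how regular its timing is, and whether it declares itself a crawler in its User-Agent) and labels each client. The sample lines, the addresses, the "ExampleBot" User-Agent and every threshold are constructed for the example; a proactive product check such as a JavaScript or CAPTCHA challenge acts before the first request lands, whereas this log-based heuristic is a reactive, after-the-fact view.

```python
"""Per-client bot-versus-human heuristics over constructed web access log lines.

Added example (not ASM/F5 code). Parses combined log format, aggregates behaviour per
client IP and applies simple, documented heuristics. Thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ASSET_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff")
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/30.0"  # constructed


def _line(ip, second, path, referer="-", ua=BROWSER_UA, size=6000):
    """Build one constructed combined-log-format line (used only to make sample data)."""
    return (f'{ip} - - [10/Jul/2014:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 {size} "{referer}" "{ua}"')


# Constructed sample: a browser user, a self-declared crawler and a page scraper. Not real data.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.10", 1, "/products"),
     _line("203.0.113.10", 1, "/static/site.css", "http://shop.example/products", size=800),
     _line("203.0.113.10", 2, "/static/app.js", "http://shop.example/products", size=12000),
     _line("203.0.113.10", 19, "/products/42", "http://shop.example/products")]
    + [_line("192.0.2.5", s, p, ua="ExampleBot/1.0 (+http://example.com/bot)")
       for s, p in ((0, "/robots.txt"), (10, "/products"), (20, "/products/7"))]
    + [_line("198.51.100.7", s, f"/products/{s + 1}") for s in range(30)]
)


def parse_log(text):
    """Parse combined-log-format lines into dicts; lines that do not match are skipped."""
    records = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def client_features(records):
    """Aggregate per-client behaviour: rate, share of asset fetches, timing regularity, declared bot."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)
    features = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        times = [r["time"].timestamp() for r in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        assets = sum(r["path"].lower().endswith(ASSET_SUFFIXES) for r in recs)
        features[ip] = {
            "requests": len(recs),
            "rate": len(recs) / max(times[-1] - times[0], 1.0),   # requests per second
            "asset_share": assets / len(recs),                    # browsers load CSS/JS/images
            "gap_stdev": pstdev(gaps) if len(gaps) > 1 else None, # near-zero means metronomic
            "declared_bot": any("bot" in r["ua"].lower() for r in recs),
        }
    return features


def classify(f, min_rate=0.5, min_requests=10):
    """Return (label, reasons). Thresholds are this example's assumptions, not product defaults."""
    if f["declared_bot"]:
        return "declared-crawler", ["self-identified in User-Agent; verify against the allow-list"]
    reasons = []
    if f["requests"] >= min_requests and f["rate"] >= min_rate and f["asset_share"] == 0:
        reasons.append(f"{f['rate']:.2f} req/s of page requests with no CSS/JS/image fetches")
    if f["requests"] >= min_requests and f["gap_stdev"] is not None and f["gap_stdev"] < 0.1:
        reasons.append("metronomic request timing (inter-arrival stdev below 0.1 s)")
    return ("likely-automated" if reasons else "likely-human"), reasons


def triage(text):
    """Label every client seen in the log text."""
    return {ip: classify(f) for ip, f in client_features(parse_log(text)).items()}


if __name__ == "__main__":
    for ip, (label, reasons) in triage(SAMPLE_LOG).items():
        print(ip, label, "; ".join(reasons))
```

The declared-crawler path is kept separate on purpose: the post notes that some automated traffic is legitimate, so a self-identified crawler is routed to an allow-list check rather than blocked outright, while the unlabelled scraper that walks /products/1 through /products/30 once a second without ever loading a stylesheet is what the "unauthorized scraping" heuristics are meant to surface.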
Taking up arms against DDoS with F5
Lastly, I just want to mention that with the release of BIG-IP 11.6 we have added functionality that strengthens existing DDoS capabilities to allow you to apply a stronger defense against sophisticated attacks. AFM provides over 100 attack signatures with more hardware-based vectors than any other vendor and more granularity in preventing layer 3-5 DDoS attacks, especially where there is concern for IGMP floods, and SIP and DNS UDP attacks. Additionally, this release extends existing protections for capacity attacks on the flow/transaction state tracking structures to include a richer set of parameters and algorithms for more effective policies that enable flow-table limits with greater granularity. We’ve also enabled traffic sampling for AFM under fast L4 to provide high-speed sampling and scrubbing, allowing you to more effectively capture live traffic samples to examine DoS traffic patterns and create more effective rules. BIG-IP systems can now process some or all of the Layer 4 traffic passing through the system to unburden the firewall and increase performance. iRules interaction has also been extended to leverage IP Intelligence services, enable statistical traffic subsampling, and detect stateful attacks on flow tables, protecting not only the data center but the BIG-IP AFM and the applications behind it. BIG-IP 11.6 also delivers enhancements to our web application firewall (ASM) to enable streamlined CAPTCHA-based security, more effective blocking of attacks from high-risk global regions and more immediacy in detecting and patching application vulnerabilities. Take time to read the release notes for a complete picture of what’s inside BIG-IP 11.6, and the datasheets for ASM, AFM and BIG-IP itself. Contact your F5 rep for more details. Also, stay tuned for blogs touching on protections against automated and brute force attacks, headless browser attacks, and more effectively discerning false positives and negatives with ASM.
Until next time, I look forward to hearing from you.